# NOTE: docker-compose.yml healthcheck probes the Caddy admin API at
# 127.0.0.1:2019 (Caddy's default admin listen is `localhost:2019`, i.e.
# IPv4 loopback; the probe uses the literal IP so busybox wget can't try
# ::1 first). Do NOT add a global `{ admin off }` block or rebind admin
# without also updating the healthcheck, or Caddy will restart-loop.

{$DOMAIN} {
    reverse_proxy supersync:1900 {
        # Allow up to 85 seconds for long-running operations
        # (snapshot generation, large imports)
        # MUST be greater than Fastify timeout (80s) but less than client timeout (90s)
        transport http {
            dial_timeout 10s
            response_header_timeout 85s
        }
    }

    # Security headers
    header {
        X-Content-Type-Options nosniff
        X-Frame-Options DENY
        Referrer-Policy strict-origin-when-cross-origin
        -Server
    }

    # Enable compression
    encode gzip zstd

    # Logging
    #
    # Redact the `token` query param from the logged URI. The WebSocket endpoint
    # authenticates via `?token=<JWT>` (browsers can't set headers on a
    # WebSocket), and that JWT is valid for 365 days with no rotation — so
    # without this filter every WS upgrade writes a year-valid, full-sync
    # credential to stdout / `docker logs`. `token` is only ever a query param
    # carrying an auth secret (the WS JWT, plus the email-verification,
    # passkey-recovery and magic-login links), never a benign field, so
    # redacting it across this site block is targeted and safe. See #8343.
    log {
        output stdout
        format filter {
            wrap console
            request>uri query {
                replace token REDACTED
            }
        }
    }
}
